A tcpdump Tutorial with Examples

tcpdump is the world’s premier network analysis tool—combining both power and simplicity into a single command-line interface. This guide will show you how to use it.

tcpdump is a powerful command-line packet analyzer. It allows you to capture and inspect network traffic in real-time. This tool is invaluable for network administrators, security professionals, and anyone who needs to understand network behavior.

In this tutorial, we’ll explore 50 practical examples of using tcpdump. These examples will cover a wide range of use cases, from basic traffic capture to advanced filtering and analysis.

Basic Syntax

The basic syntax of tcpdump is:

tcpdump [options] [expression]

• options: Modify the behavior of tcpdump, such as specifying the interface to capture on or the output format.
• expression: Defines what kind of traffic to capture. This is where you specify hostnames, IP addresses, ports, protocols, and other criteria.

Capturing Traffic on an Interface

To capture all traffic on a specific interface, use the -i flag followed by the interface name. For example, to capture traffic on the eth0 interface:

To see a list of all available interfaces, use the command:

Capturing Traffic to/from a Specific Host

To capture traffic to or from a specific host, use the host keyword followed by the hostname or IP address:

tcpdump host 192.168.1.100

This will capture all traffic to and from the host with the IP address 192.168.1.100.

Capturing Traffic on a Specific Port

To capture traffic on a specific port, use the port keyword followed by the port number:

This will capture all traffic on port 80 (HTTP).

Combining Filters

You can combine filters using and, or, and not operators. For example, to capture all traffic to or from host 192.168.1.100 on port 80, use:

tcpdump host 192.168.1.100 and port 80

To capture traffic from 192.168.1.100 on either port 80 or 443, use:

tcpdump src host 192.168.1.100 and ( port 80 or port 443 )

Advanced Filtering

Filtering by Protocol

To filter by protocol, use the ip, tcp, udp, or other protocol keywords. For example, to capture only TCP traffic:

To capture only UDP traffic:

Filtering by Source or Destination

To filter by source or destination host or port, use the src or dst keywords:

tcpdump src host 192.168.1.100

This will capture all traffic from the host 192.168.1.100.

tcpdump dst port 443

This will capture all traffic destined for port 443.

Filtering by Network

To capture traffic within a specific network, use the net keyword:

tcpdump net 192.168.1.0/24

This will capture all traffic within the 192.168.1.0/24 network.

Saving Captured Traffic to a File

To save captured traffic to a file, use the -w flag followed by the filename:

tcpdump -w capture.pcap -i eth0

This will save all captured traffic on the eth0 interface to the file capture.pcap.

You can later analyze this file using tcpdump or another packet analyzer like Wireshark.

Reading Captured Traffic from a File

To read captured traffic from a file, use the -r flag followed by the filename:

tcpdump -r capture.pcap

This will read and display the traffic from the file capture.pcap.

Verbosity

You can control the verbosity of tcpdump output using the -v, -vv, or -vvv flags.

• -v: Verbose output.
• -vv: More verbose output.
• -vvv: Most verbose output.

For example:

50 tcpdump Examples

Here are 50 tcpdump examples to help you isolate traffic in various situations:

1. Capture all traffic on interface eth0:
2. Capture all traffic on interface wlan0:
3. Capture traffic to or from host 192.168.1.100:
   bash

   tcpdump host 192.168.1.100

   1

4. Capture traffic to or from host example.com:
   bash

   tcpdump host example.com

   1

5. Capture traffic on port 80 (HTTP):
6. Capture traffic on port 443 (HTTPS):
7. Capture traffic on port 22 (SSH):
8. Capture traffic on port 21 (FTP):
9. Capture traffic on port 25 (SMTP):
10. Capture traffic on port 53 (DNS):
11. Capture traffic from host 192.168.1.100:
    bash

    tcpdump src host 192.168.1.100

    1

12. Capture traffic to host 192.168.1.100:
    bash

    tcpdump dst host 192.168.1.100

    1

13. Capture traffic from port 80:
14. Capture traffic to port 443:
    bash

    tcpdump dst port 443

    1

15. Capture all TCP traffic:
16. Capture all UDP traffic:
17. Capture all ICMP traffic:
18. Capture traffic to or from network 192.168.1.0/24:
    bash

    tcpdump net 192.168.1.0/24

    1

19. Capture traffic from network 192.168.1.0/24:
    bash

    tcpdump src net 192.168.1.0/24

    1

20. Capture traffic to network 192.168.1.0/24:
    bash

    tcpdump dst net 192.168.1.0/24

    1

21. Capture traffic to host 192.168.1.100 on port 80:
    bash

    tcpdump dst host 192.168.1.100 and dst port 80

    1

22. Capture traffic from host 192.168.1.100 on port 443:
    bash

    tcpdump src host 192.168.1.100 and src port 443

    1

23. Capture traffic to or from host 192.168.1.100 on port 80 or 443:
    bash

    tcpdump host 192.168.1.100 and ( port 80 or port 443 )

    1

24. Capture all traffic except ICMP:
25. Capture all traffic except port 80:
26. Capture traffic with a specific TCP flag (SYN):
    bash

    tcpdump 'tcp[tcpflags] & tcp-syn != 0'

    1

27. Capture traffic with a specific TCP flag (ACK):
    bash

    tcpdump 'tcp[tcpflags] & tcp-ack != 0'

    1

28. Capture traffic with a specific TCP flag (RST):
    bash

    tcpdump 'tcp[tcpflags] & tcp-rst != 0'

    1

29. Capture traffic with a specific TCP flag (FIN):
    bash

    tcpdump 'tcp[tcpflags] & tcp-fin != 0'

    1

30. Capture traffic with a specific TCP flag (URG):
    bash

    tcpdump 'tcp[tcpflags] & tcp-urg != 0'

    1

31. Capture traffic with a specific TCP flag (PSH):
    bash

    tcpdump 'tcp[tcpflags] & tcp-push != 0'

    1

32. Capture traffic with a specific TCP flag (ALL):
    bash

    tcpdump 'tcp[tcpflags] = 0x01'

    1

33. Capture traffic with a specific TCP flag (NONE):
    bash

    tcpdump 'tcp[tcpflags] = 0x00'

    1

34. Capture traffic with a specific TCP flag (SYN/ACK):
    bash

    tcpdump 'tcp[tcpflags] = 0x12'

    1

35. Capture traffic with a specific TCP flag (SYN/RST):
    bash

    tcpdump 'tcp[tcpflags] = 0x14'

    1

36. Capture traffic with a specific TCP flag (SYN/FIN):
    bash

    tcpdump 'tcp[tcpflags] = 0x11'

    1

37. Capture traffic with a specific TCP flag (PSH/ACK):
    bash

    tcpdump 'tcp[tcpflags] = 0x18'

    1

38. Capture traffic with a specific IP fragment offset:
    bash

    tcpdump 'ip[6:2] & 0x1fff != 0'

    1

39. Capture traffic with a specific IP TTL:
    bash

    tcpdump 'ip[8] = 128'

    1

40. Capture traffic with a specific IP DSCP:
    bash

    tcpdump 'ip[1] & 0xfc >> 2 = 46'

    1

41. Capture traffic with a specific IP ECN:
    bash

    tcpdump 'ip[1] & 0x03 = 3'

    1

42. Capture traffic with a specific TCP sequence number:
    bash

    tcpdump 'tcp[4:4] = 12345678'

    1

43. Capture traffic with a specific TCP acknowledgement number:
    bash

    tcpdump 'tcp[8:4] = 87654321'

    1

44. Capture traffic with a specific TCP source port range:
    bash

    tcpdump 'tcp[0:2] > 1023 and tcp[0:2] < 65536'

    1

45. Capture traffic with a specific TCP destination port range:
    bash

    tcpdump 'tcp[2:2] > 1023 and tcp[2:2] < 65536'

    1

These examples should provide a solid foundation for using tcpdump to analyze network traffic.

Happy hunting!

-Daniel